744fd2fe8ca66a86f2988208ec0cf813aab99ed82fc98f72558b24a479ad6769

Analysis

max time kernel
18s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags

arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payment advise.exe
Size

704KB
MD5

e9be0acd1e3ebab0f8d9524536c30607
SHA1

ae9b10f293b94ae842aa0bc70de24f1f37c6fc8b
SHA256

4768c40e4e564054947ac359d700d310abcdc8c476e8390e2adf28eac1aaea8f
SHA512

d39fc787b8fe9ff914429a2d779c69b84286cf026b66db4c66684b190987dcb231d46dc7a2837bfda40908cef5e675033d84913ebe41f8ebd1c1d9ebbd7aba43
SSDEEP

12288:aGCahkZ5zHYt9zzsIips8BBwxsy5aIA/wIgj3SPSRry8xiyxzg:aCK/29zToHD7yoEIMpsQzg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation	payment advise.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1904	payment advise.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	payment advise.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 4060	1904	payment advise.exe	95
PID 1904 wrote to memory of 4060	1904	payment advise.exe	95
PID 1904 wrote to memory of 4060	1904	payment advise.exe	95
PID 1904 wrote to memory of 5064	1904	payment advise.exe	97
PID 1904 wrote to memory of 5064	1904	payment advise.exe	97
PID 1904 wrote to memory of 5064	1904	payment advise.exe	97

C:\Users\Admin\AppData\Local\Temp\payment advise.exe
"C:\Users\Admin\AppData\Local\Temp\payment advise.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FGQLTQfzIGOib.exe"
  2⤵
  PID:4060
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FGQLTQfzIGOib" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8879.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8879.tmp

Filesize
1KB

MD5
a6c7a277e91dbfaf3785537fce946968

SHA1
e27616b7a62f6f463fa2d34c61bb06f8ae4e6b56

SHA256
52970bdb6db40a4e2cda01b4584f2568777eed77d72619cda34e11a61886b456

SHA512
16dfc4e7e6b24f79b4f67a58dafe089c3240d842ceda192369a744b1f20b6c01a9e3a07ea91ff9fda65bf2e0a8bc296a86a7904b4648a002de6c8b12a7127b36

Download Submit
memory/1904-8-0x0000000006760000-0x000000000676A000-memory.dmp

Filesize
40KB

Download
memory/1904-7-0x0000000006740000-0x0000000006748000-memory.dmp

Filesize
32KB

Download
memory/1904-3-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/1904-4-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/1904-9-0x0000000006BE0000-0x0000000006C4A000-memory.dmp

Filesize
424KB

Download
memory/1904-6-0x0000000005800000-0x000000000581A000-memory.dmp

Filesize
104KB

Download
memory/1904-2-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/1904-0-0x0000000000760000-0x0000000000816000-memory.dmp

Filesize
728KB

Download
memory/1904-5-0x0000000005210000-0x000000000521A000-memory.dmp

Filesize
40KB

Download
memory/1904-10-0x0000000009210000-0x00000000092AC000-memory.dmp

Filesize
624KB

Download
memory/1904-20-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/1904-1-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4060-16-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4060-19-0x0000000004D40000-0x0000000005368000-memory.dmp

Filesize
6.2MB

Download
memory/4060-18-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/4060-15-0x0000000004640000-0x0000000004676000-memory.dmp

Filesize
216KB

Download